b"                                            Department of Energy\n                                                 Washington, DC 20585\n\n                                                 September 1, 2004\n\n\n\n\nThe Honorable Gaston L. Gianni, Jr.\nInspector General\nFederal Deposit Insurance Corporation\n801 17th Street, NW, Room 1096\nWashington, D.C. 20434\n\nDear Mr. Gianni:\n\nWe have reviewed the system of quality control for the audit function of the Federal Deposit\nInsurance Corporation (FDIC) Office of Inspector General (OIG) in effect for the year ended\nMarch 31, 2004. We conducted our review in conformity with standards and guidelines\nestablished by the President's Council on Integrity and Efficiency (PCIE). We tested compliance\nwith the FDIC OIG's system of quality control to the extent we considered appropriate. These\ntests included a review of the audits identified in the Enclosure.\n\nIn performing our review, we considered the Policy Statement on Quality Control and External\nReviews, dated February 2002, issued by the PCIE. According to that Statement, an OIG's\nquality control policies and procedures should be appropriately comprehensive and suitably\ndesigned to provide reasonable assurance that the objectives of quality control will be met. The\nStatement also recognizes that the nature, extent and formality of an OIG's system of quality\ncontrol depends on various factors such as the size of the OIG, the location of its offices, the\nnature of the work, and its organizational structure.\n\nIn our opinion, the system of quality control for the audit function of the FDIC OIG in effect for\nthe year ended March 31, 2004, has been designed in accordance with the quality standards\nestablished by the PCIE and was being complied with for the year then ended to provide the OIG\nwith reasonable assurance of material compliance with professional auditing standards in the\nconduct of its audits. Therefore, we are issuing an unqualified opinion on your system of audit\nquality control.\n\nWe have identified, in a separate Letter of Comments dated August 31, 2004, other matters that\ncame to our attention which do not affect our overall opinion.\n\n                                             Sincerely,\n\n\n\n\n                                             Gregory H. Friedman\n                                             Inspector General\nEnclosure\n\x0cScope and Methodology\n\nWe conducted the Peer Review in accordance with the PCIE Guide for Conducting External\nQuality Control Reviews of the Audit Operations of Offices of Inspector General, issued during\nFebruary 2002, and subsequently revised through March 2004.\n\nWe reviewed the last peer review report on the FDIC OIG audit function, issued by the U.S.\nAgency for International Development on January 25, 2002, and the related peer review working\npapers. To obtain an understanding of the audit operation and the internal quality control\nsystem, we reviewed the FDIC OIG\xe2\x80\x99s audit policies and procedures. We considered controls\nsuch as those in place to ensure that only qualified staff is hired, that continuing professional\neducation requirements are met, and that independence is maintained. To obtain an\nunderstanding of the FDIC OIG\xe2\x80\x99s internal quality assurance program, we reviewed related\npolicies and procedures, interviewed responsible staff, and reviewed internal quality assurance\nreports.\n\nWe tested compliance with the FDIC OIG\xe2\x80\x99s system of quality control to the extent that we\nconsidered appropriate. These tests included a review of 6 of 36 audit reports issued between\nApril 1, 2003, and March 31, 2004. We did not review the financial statement audit and\nmonitoring activities covering the FY 2003 financial statements for the FDIC OIG since that\naudit is performed by the U.S. General Accounting Office.\n\nThe report numbers and titles of the selected audits are listed in the table below.\n\n                                         Audits Reviewed\n\n\nReport Number         Report Date                              Report Title\n\n03-038              09/12/2003         The Role of Prompt Corrective Action (PCA) as Part of the\n                                       Enforcement Process\n03-045              09/29/2003         New Financial Environment Scope Management Controls\n03-047              09/30/2003         Contract Terms and Oversight Management Related to\n                                       ARAMARK Services Inc.,\n                                       Contract No. 00-00611-C-J3\n04-012              03/16/2004         Tennessee Land Investors Limited Partnership\n04-013              03/26/2004         FDIC\xe2\x80\x99s Reliance on State Safety and Soundness\n                                       Examinations\n04-014              03/26/2004         XBAT Contracting and Project Management\n\n\n\n\n                                                 2\n\x0c                                             Department of Energy\n                                                  Washington, DC 20585\n\n                                                  September 1, 2004\n\n\n\n\nThe Honorable Gaston L. Gianni, Jr.\nInspector General\nFederal Deposit Insurance Corporation\n801 17th Street, NW, Room 1096\nWashington, D.C. 20434\n\nDear Mr. Gianni:\n\nWe have reviewed the system of quality control for the audit function of Federal Deposit\nInsurance Corporation Office of Inspector General (FDIC OIG) in effect for the year ended\nMarch 31, 2004, and have issued our report thereon dated August 31, 2004, in which we\nrendered an unqualified opinion on the FDIC OIG system of quality control for its audit function.\nThis letter should be read in conjunction with that report.\n\nOur review was for the purpose of reporting whether the OIG\xe2\x80\x99s internal quality control system\nwas designed in accordance with the quality standards established by the President\xe2\x80\x99s Council on\nIntegrity and Efficiency (PCIE) and was being complied with that system for the year reviewed\nto provide reasonable assurance of material compliance with professional auditing standards in\nthe conduct of its audits. We conducted our review in conformity with standards and guidelines\nestablished by the PCIE. Our review would not necessarily disclose all weaknesses in the system\nor all instances of noncompliance with it because our review was based on selective tests.\n\nThere are inherent limitations that should be recognized in considering the potential effectiveness\nof any system of quality control. In the performance of most control procedures, departures can\nresult from misunderstanding of instructions, mistakes of judgment, carelessness, or other\npersonal factors. Projection of any evaluation of a system of quality control to future periods is\nsubject to the risk that one or more procedures may become inadequate because of changes in\nconditions or that the degree of compliance with procedures may deteriorate.\n\nAs a result of our review, we identified reportable conditions, which we considered in\ndetermining our opinion set forth in our report dated August 31, 2004. A reportable condition\nfor peer review purposes represents a significant deficiency in the design or operation of the\nreviewed organization\xe2\x80\x99s internal control that could adversely affect the organization\xe2\x80\x99s ability to\ncomply with applicable auditing standards and established auditing policies and procedures.\n\nThe two reportable conditions that we identified are discussed in the following paragraphs.\nDuring our review, we provided additional information about these conditions, including a listing\nof the applicable audits, to your office.\n\x0cReportable Conditions\n\nWe believe that the conditions addressed in this section represent opportunities for improvement\nof the FDIC OIG\xe2\x80\x99s system of quality control. While we did not identify a material effect to the\nreported audit findings and conclusions resulting from the conditions discussed below, we\nbelieve that the potential exists for these conditions to adversely affect audit operations.\n\nIt should be noted that the FDIC OIG's internal quality assurance program identified some of the\nsame issues that we raise as a result of our peer review. We were advised that corrective actions\nhad been taken, as detailed in the recent concurrence by the Director of Supervision and\nInsurance Audits to the internal quality assurance report dated April 20, 2004.\n\nIn performing our work, we considered the results of the prior peer review of the FDIC OIG, for\nwhich the U.S. Agency for International Development issued a report dated January 25, 2002.\nWe found that the nine open recommendations contained in the Letter of Comments from that\npeer review have been addressed.\n\nFinding 1. Quality Control \xe2\x80\x93 Review and Resolution of Referencing Points\n\nThe FDIC OIG considers referencing to be one of the key aspects of its internal control system,\nand an essential step in ensuring overall audit report quality. Policies and procedures have been\nestablished for indexing reports to supporting assignment documentation and the subsequent\nverification of the supporting evidence by an independent referencer as a control to assure\ncompliance with the Government Auditing Standards requirement for reporting accuracy.\n\nThe FDIC OIG Audit Manual 330.2 \xe2\x80\x93 Indexing and Referencing of Reports requires the Auditor-\nin-Charge to respond to points raised by the independent referencer on the Referencing Point\nSheet with comments as to the action taken to indicate whether changes were made in response\nto issues/questions identified. Any remaining open points should be submitted to the Director\nfor review and possible resolution. After all the points have been resolved, the Auditor-in-\nCharge, independent referencer, and Director are required to sign the Referencing Point Sheet. If\nthe comments cannot be resolved between the referencer, Auditor-in-Charge, and Director, the\ncomments should be elevated to the Deputy Assistant Inspector General for Audits (DAIGA) for\nresolution. Only the DAIGA can pass on points identified by the referencer. In addition to the\nReferencing Point Sheet, the Audit Manual also requires completion of the Referencing\nChecklist to ensure that referencing requirements have been performed. This checklist has\nseparate sections for the Director, Auditor-in-Charge, and referencer to complete and sign\ncertifying that all referencer\xe2\x80\x99s comments have been adequately resolved. The Director has\noverall responsibility for ensuring that reports are fully indexed to supporting documentation and\nindependently referenced.\n\nWe noted that four of the six audits reviewed did not have the Auditor-in-Charge\xe2\x80\x99s response or\nactions taken to resolve all of the points raised by the referencer. In addition, one audit had no\nsignature on the Referencing Checklist to indicate final approval by the Director. FDIC OIG\nmanagement explained that there were other certification forms signed by the Director, Auditor-\nin-Charge and referencer that are designed to provide assurance on the quality of the report.\nThese certification forms are meant as an additional compensating control. However, we feel if\n\n\n                                                2\n\x0cthe required detailed documentation of the process they are intended to certify is incomplete, the\nadditional assurance that outstanding referencer points are addressed is lacking.\n\nRecommendation. FDIC OIG management should reemphasize its policy on referencing and\ncompletion of the Referencing Point Sheet and Referencing Checklist. Specific emphasis should\nbe placed on existing requirements for the Auditor-in-Charge to document all responses and/or\nactions taken to resolve the points raised by the referencer and the Director to sign off certifying\nthat all referencing points have been adequately resolved.\n\nViews of Responsible Officials. FDIC OIG management concurred and plans to issue a staff\nadvisory by October 22, 2004, reemphasizing the policy on referencing, including completion of\nthe Referencing Point Sheet and the Referencing Checklist. On August 10, 2004, the\nReferencing Point Sheet was enhanced to include an additional column for the referncer to initial\nhis/her agreement to the Auditor\xe2\x80\x99s individual responses/actions; and an \xe2\x80\x9cAll Cleared\xe2\x80\x9d box is now\nincluded on the form for the referencer\xe2\x80\x99s initials and date satisfying such action has occurred. In\naddition, training to cover the independent referencing process is planned for November 2004.\n\nFinding 2. Supervisory Review and Documentation\n\nThe second field work standard for performance audits under Government Auditing Standards is\nstaff is to be properly supervised. Supervision involves directing the efforts of auditors and\nothers that are involved in the audit to determine whether the audit objectives are being\naccomplished. The FDIC OIG Audit Manual expresses the view that supervision is one of the\nmost important aspects of ensuring assignment quality and that these reviews of assigned work\nmust be documented and maintained in the assignment documentation. By conducting reviews,\nsupervisors can also satisfy themselves that the staff clearly understands what work is expected\nto be performed, why the work is being conducted and what the work is expected to accomplish.\nThere should be documented evidence of supervisory reviews in the assignment documentation.\nTo be beneficial, the supervisory involvement must start early in the audit and continue in a\ntimely manner to ensure that the efforts are redirected, when appropriate, and that all of the\nnecessary work is performed. In our review, three issues surfaced involving documentation to\nsupport that all assigned work was performed and that the staff was being provided with timely\nsupervision.\n\nThe FDIC OIG Audit Manual 320.6 \xe2\x80\x93 Preparation and Review of Assignment Documentation\nrequires supervisory review of assignment documentation be documented and retained. The\nAuditor-in-Charge is responsible for monitoring and oversight of assigned staff and for\nreviewing all assignment documentation they prepare. The Office of Audits Director is\nresponsible for reviewing all assignment documentation prepared by the auditor-in-charge.\nThese supervisory reviews must be made periodically to ensure that the work is progressing\nsatisfactorily and supports the reported findings, opinions, conclusions and recommendations.\n\nOur review noted that not all work papers had the required documentation as evidence of\nsupervisory reviews. We found assignment documentation that was (i) not signed off by the\npreparer and reviewer; (ii) dated as being reviewed before the date they were prepared; (iii) not\nindexed and cross-indexed or was incorrectly indexed; and, (iv) prepared and reviewed by the\nsame person. We also found open reviewer notes, signatures missing from checklists, and\n\n\n                                                 3\n\x0cincomplete checklists. Since the previous peer review, the FDIC OIG implemented an electronic\nwork paper software program to document audits. Most of the lacking documentation of timely\nsupervisory reviews can be attributed to the recent implementation of TeamMate and the fact that\nsupervisory reviews are required each time a work paper is modified.\n\nWe did find evidence of adequate levels of supervision from planning to audit report issuance on\nkey control documents. However, the missing sign-off dates and checklists indicate that\ndocumentation related to supervision needs improvement to ensure evidence that supervisory\nreviews were performed.\n\nThe FDIC OIG Audit Manual 320.3 \xe2\x80\x93 Assignment Programs states that the assignment program\nrepresents a contract between the Office of Audits Director and the team concerning the work to\nbe performed. The purpose of assignment programs is to provide early guidance and an\nunderstanding between a supervisor and staff on the detailed procedures and techniques for\ncollecting and analyzing sufficient, competent, and relevant evidence to address the assignment\nobjectives within the approved milestones. The Manual requires all assignment program steps be\nindexed to the supporting documentation. Any step not performed should be annotated to\nprovide a brief explanation to why the step was not performed. The Manual also states that if\nmajor changes in the scope occur as the assignment proceeds, the program should be modified\nand the Office of Audits Director should approve any major changes.\n\nFor two of the six audits reviewed, we found some assignment program steps that were not\nindexed to supporting documentation. Even though workpaper indexing on the approved\nassignment program was absent, we noted that the program steps were sufficiently performed to\nanswer the audit objectives. However, by not indexing the workpapers to the assignment\nprogram, steps appeared to be omitted from the audit and there is an increased risk that all the\nrequired work needed to support coverage of the audit objective was not completed during the\nassignment.\n\nThe FDIC OIG Audit Manual 320.6 \xe2\x80\x93 Preparation and Review of Assignment Documentation\nrequires that assignment documentation must contain the purpose for preparing the\ndocumentation, the source of the information, the scope of the review, applicable criteria,\nsufficient explanation of analytical methods and formulas used, the results of the review, and the\nassignment team\xe2\x80\x99s conclusions.\n\nWe found workpapers that did not always contain the required elements for the six audits\nreviewed. However, none of these examples affected the accuracy of the final audit reports.\nAudit documentation (1) provides the principal support for the auditor's report; (2) aids auditors\nin conducting and supervising the audit; and, (3) allows for the independent review of audit\nquality. The preparation of audit documentation should be appropriately detailed to provide a\nclear understanding of its purpose, source and the conclusions the auditors reached. It should\nalso be organized to provide a clear link to the findings, conclusions, and recommendations\ncontained in the audit report.\n\nRecommendation. \xe2\x80\x93 FDIC OIG management should reemphasize its existing policy (1) to index\nsupporting documentation to completed steps in the audit program; (2) that requires proper\ndocumentation to show evidence of supervision in all workpaper files; and (3) to include all four\n\n\n                                                 4\n\x0celements on each workpaper or include a reference to where the four elements can be found\nelsewhere in the workpaper files.\n\nViews of Responsible Officials. FDIC OIG management concurred and stated after the audits\nsubject to peer review were completed, additional guidance was issued to staff that discussed\nprocedures for preparing audit documentation (work paper files) as the assignment progresses\nand archiving audit documentation upon assignment completion. Specific actions included staff\nadvisories on Assignment Documentation (dated March 26, 2004) and Supervision (dated April\n13, 2004), and administrative procedures on Archiving Office of Audits Assignment\nDocumentation (dated March 31, 2004). In addition, training to reemphasize the policy on\nsupervisory reviews and documentation, to include the specific elements identified above is\nplanned for November 2004.\n\nWe appreciate the cooperation and courtesies extended by your audit executives and staff to our\npeer review team.\n\n                                            Sincerely,\n\n\n\n\n                                            Gregory H. Friedman\n                                            Inspector General\nEnclosure\n\n\n\n\n                                               5\n\x0cFederal Deposit Insurance Corporation                                                         Office of Audits\n801 17th Street NW, Washington, DC 20434                                         Office of Inspector General\n\n\n\n\nDATE:                                  December 8, 2004\n\nMEMORANDUM TO:                         Gaston L. Gianni, Jr.\n                                       Inspector General\n\n\n\nFROM:                                  Russell A. Rau\n                                       Assistant Inspector General for Audits\n\nSUBJECT:                               Completion of Corrective Actions Recommended During\n                                       Recent Peer Review\n\nThe Department of Energy\xe2\x80\x99s Office of Inspector General (DOE OIG) conducted an external peer\nquality assurance review of the Office of Audits (OA) and concluded that our system of quality\ncontrol has been designed in accordance with the quality standards established by the President's\nCouncil on Integrity and Efficiency and provided reasonable assurance of conforming with\napplicable professional standards, including Government Auditing Standards. In a separate\nLetter of Comments (LOC) dated August 31, 2004, the DOE OIG discussed matters that came to\nits attention in the course of its review that did not affect its overall opinion but required\ncorrective action. The LOC provided two recommendations for corrective action, and the OA\nhas completed steps necessary to resolve and disposition both of them.\n\nA description of each of the DOE OIG\xe2\x80\x99s recommendations, our response to their\nrecommendations, and the corrective action implementation chronology are provided in the\nattachment.\n\nPlease let me know if you have any questions.\n\nAttachment\n\ncc:      Patricia M. Black\n         Sharon M. Smith\n         Stephen M. Beard\n\x0c                                                          Office of Audits\n                             Matrix of 2004 Peer Review Recommendations and Corrective Action Status\n                                                          December 2004\nNo.       Recommendation                            Corrective Action                                                                        Corrective Action\n                                                                                                                                             Status\n    1     Quality Control \xe2\x80\x93 Review and              (1) We will develop and conduct training covering the independent referencing            Completed December 2, 2004.1\n          Resolution of Referencing Points.         process that will reemphasize the policy on referencing, including completion of the\n          FDIC OIG management should                enhanced Referencing Point Sheet and Referencing Checklist. We also plan to\n          reemphasize its policy on referencing     conduct referencing training at our staff conference in December 2004. Corrective\n          and completion of the Referencing         action will be completed by December 31, 2004.\n          Point Sheet and Referencing Checklist.\n          Specifically, emphasis should be placed   (2) We will develop and issue a staff advisory reemphasizing the policy on\n          on existing requirements for the          referencing, including completion of the enhanced Referencing Point Sheet and the        Completed November 24, 2004.\n          Auditor-in-Charge to document all         Referencing Checklist. Corrective action will be completed by October 22, 2004.\n          responses and/or actions taken to\n          resolve the points raised by the          (3) We enhanced the Referencing Point Sheet to include an additional column for\n          referencer and the Director to sign off   the referencer to initial his/her agreement to the auditor's individual\n          certifying that all referencing points    responses/actions. Further, an \xe2\x80\x9cAll Cleared\xe2\x80\x9d box appears on the form for the             Completed August 10, 2004.\n          have been adequately resolved.            referencer\xe2\x80\x99s initial and date, signifying such action has occurred. The revised\n          .                                         Referencing Point Sheet is now part of the standard referencing assignment\n                                                    instructions. Corrective action was completed on August 10, 2004.\n\n    2     Supervisory Review and                    (4) After the audits subject to peer review were completed, we issued additional         Completed April 13, 2004.\n          Documentation. FDIC OIG                   guidance to staff that discusses procedures for preparing audit documentation (working\n          management should reemphasize its         paper files) as the assignment progresses and archiving audit documentation upon\n          existing policy (1) to index supporting   assignment completion. Specific actions include staff advisories on Assignment\n          documentation to completed steps in       Documentation (dated March 26, 2004) and Supervision (dated April 13, 2004), and\n          the audit program; (2) that requires      our administrative procedures on Archiving Office of Audits Assignment\n          proper documentation to show evidence     Documentation (dated March 31, 2004). Corrective action was completed on\n          of supervision in all working paper       April 13, 2004.\n          files; and (3) to include all four\n          elements on each working paper or         (5) We will conduct training to reemphasize the policy on supervisory reviews and\n          include a reference to where the four     documentation. In conjunction with the corrective action item (1), the course content    Completed December 2, 2004.2\n          elements can be found elsewhere in the    will be expanded to include the specific elements identified in the recommendation of\n          working paper files.                      Finding 2. Corrective action will be completed by December 31, 2004.\n\n\n\n\n1\n    Training provided at the Office of Audits staff conference, December 1-3, 2004.\n2\n    Ibid.\n\x0c"